DETAILED ACTION 

This action is in response to the communication filed on 4/7/09. 

All objections and rejections not set forth below have been withdrawn. 

Claims 36 - 70 are pending. 



Claim Rejections - 35 USC § 101 



35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

Claims 53 - 70 are rejected under 35 U.S.C. 101 because the claimed 
invention is directed to non-statutory subject matter. Specifically, these claims 
comprise recitations directed towards software per se (e.g. Specification, pg. 6, line 27 - 
pg. 7, line 5). As software fails to fall within any of the statutory categories of invention, 
these claims are rejected as non-statutory. 



Claim Rejections - 35 USC § 102 



The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States. 

Claims 36 - 39, 50, 51, 53 - 56, 67, 68, and 70 are rejected under 35 
U.S.C. 102(b) as being anticipated by Crosbie, U.S. Patent Publication, 
2002/0046275. 

Regarding claim 53, Crosbie discloses: 

system resources and having a plurality of processes running thereon, 
comprising analysis modules configured for monitoring, for at least two processes in 
said plurality, a set of system primitives that allocate or release said system resources 
(Crosbie, fig. 2:210, 220, 230, 240; par. 114). 

Regarding claims 54 and 55, Crosbie discloses: 

wherein said analysis modules are configured for monitoring all the system 
primitives that allocate or release said system resources; wherein said analysis modules 
are configured for monitoring exclusively those system primitives that allocate or release 
said system resources (Crosbie, par. 116). 

Regarding claim 56, Crosbie discloses: 

wherein said analysis modules are selected from the group of: at least one 
application knowledge module tracking the processes running on said system and 
monitoring resources used thereby, a network knowledge module monitoring 
connections by said processes running on said system, a file-system analysis module 
monitoring the file-related operations performed within said system, and a device 
monitoring module monitoring operation of commonly used modules with said system 
(Crosbie, fig. 2:210, 220, 230, 240). 

Regarding claim 67, Crosbie enables: 

comprising a plurality of modules for performing said monitoring, said plurality of 
modules comprising a first set of components depending on the system being monitored 
and a second set of components that are independent of the system being monitored 
(Crosbie, par. 68; fig. 2:270 vs. 240). 

Regarding claim 68, Crosbie enables: 

wherein said first set of modules comprises at least one module selected from 
the group of: a device driver for intercepting the system calls associated with said 
primitives in said set; a kernel information module configured for reading information for 
all processes running on said monitored system; and a system call processor 
configured for reading the binary data related to the system calls of said system and 
translating them into respective higher-level system call abstractions (Crosbie, fig. 
2:270). 
Regarding claims 36 - 39, 50, 51, and 70, they comprise essentially similar 
limitations to claims 53 - 56, 67, and 68 and are rejected, at least, for the same 
reasons. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 40 - 49, 52, 57 - 66, and 69 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Crosbie in view of Ghosh et al. (Ghosh), U.S. Patent 
7,181,768. 

Regarding claim 57, Crosbie discloses an IDS system employing "misuse 
detection" wherein system parameters are compared to known templates of intrusive 
activity (Crosbie, par. 15, 58, 87, 207, 217). However, Crosbie does not appear to 
explicitly disclose the features of "anomaly detection". 

Ghosh discloses that an IDS system may employ both "misuse detection" and 
"anomaly detection" within the same system (Ghosh, 2:40-44; 2:44-3:8; 4:56-59; 
5:15-28). 
It would have been obvious to one of ordinary skill in the art to employ teachings 
of Ghosh within the system of Crosbie. This would have been obvious because one of 
ordinary skill in the art would have been motivated by an improved system that 
combines the advantages of each method (e.g. Ghosh, 4:56-59). 

Thus the combination enables: 

wherein said set of primitives monitored identifies a state of said processing 
system, comprising a detection component configured for recording a current state of 
said system over a current period of time and a previous state of the system over a 
previous period of time, revealing any differences between said current state of the 
system and said previous state of the system, and detecting any such difference 
revealed as a likely anomaly in the system (Crosbie, par. 192; Ghosh, 6:20-38; 10:56- 
11:14). 

Regarding claim 58, the combination enables: 

wherein said detection component is configured for running a learning stage to 
generate said previous state of the system based on said learning stage (Ghosh, 6:20- 
38). 

Regarding claim 59, the combination enables: 

wherein said detection component is configured for correlating a plurality of said 
anomalies detected and deciding whether these identify a dangerous event for the 
system (Ghosh, 6:20-38; 10:56-11:14). 
Regarding claim 60, the combination enables: 

wherein said detection component is configured for emitting an alert signal 
indicative of any dangerous event for the system identified (Crosbie, par. 84). 

Regarding claim 61, the combination enables: 

wherein said detection component is configured for: generating a sequence of 
said anomalies; producing a sequence of pre-conditions in a rule base; and if said 
sequence of anomalies at least loosely matches said sequence of pre-conditions, 
issuing a resulting alert signal (Crosbie, par. 84; Ghosh, 11:1-14). 

Regarding claim 62, the combination enables: 

wherein said detection component is configured for assigning respective weights 
to said anomalies in said plurality, each said weight being indicative of the criticality of 
the event represented by the anomaly to which the weight is assigned (Ghosh, 4:63- 
5:12). 

Regarding claim 63, as best understood, the combination enables: 
wherein said detection component is configured for associating with each 
anomaly a value of the weight at the previous alert signal emission time plus the current 
value modulated with an exponential decay factor, whereby the significance thereof 
decreases over time (Ghosh, 5:8-14). 
Regarding claim 64, the combination enables: 

wherein said processing system operates on process identifiers (PID), whereby a 
plurality of anomalies are detected for the same process identifier, and said detection 
component is configured for aggregating said anomalies over time according to the 
following formula: 

$W_{i+1}(t) = W_i(T_{i+1} - T_i) + LA_{i+1} \exp\left(-\dfrac{t - T_i}{\tau}\right), \qquad W_0 = 0$ 

where $W_i$ is the weight of a user level alert signal associated with the common 
stream of anomalies when the i-th anomaly is detected; $T_i$ is the time of detection of 
the i-th anomaly; $LA_i$ is the weight associated to the i-th anomaly; and $\tau$ is a 
time-decay constant (Ghosh, 6:27-38; 11:9-14). 
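As an added illustration (not code from the application, this Office action, or the Crosbie or Ghosh references), the following Python applies the claim 64 recurrence to a constructed per-PID anomaly stream and derives the claim 60 alert signal from a threshold. Each $W_i$ is kept as a function of the time elapsed since its own $T_i$, so the carried-over term $W_i(T_{i+1} - T_i)$ is evaluated literally; the exponential is measured from the detection time of the anomaly being added, which is the reading consistent with claim 63 (the weight at the previous alert emission time plus the current value modulated by an exponential decay) and is an assumption here, as are the sample values, the decay constant and the alert threshold. 

```python
import math

# Constructed anomaly stream for one PID: (T_i, LA_i) = (detection time in
# seconds, weight of the i-th anomaly). Made-up values for this example only.
SAMPLE_STREAM = [(0.0, 1.0), (2.0, 1.0), (3.0, 2.0), (60.0, 1.0)]


def build_weight_functions(stream, tau):
    """Apply the claim 64 recurrence to one PID's anomaly stream.

    W_{i+1}(s) = W_i(T_{i+1} - T_i) + LA_{i+1} * exp(-s / tau),  W_0 = 0

    Each W_i is returned as a callable of s, the time elapsed since T_i
    (assumption: the exponent is measured from the newest anomaly). The
    carried-over term W_i(T_{i+1} - T_i) is a constant: the previous weight
    as it stood when anomaly i+1 arrived. Only the newest term decays.
    Returns a list of (T_i, W_i) in detection order.
    """
    def make_w(carried, la):
        return lambda s: carried + la * math.exp(-s / tau)

    w_prev = lambda s: 0.0          # W_0 = 0
    t_prev = None
    funcs = []
    for t_i, la_i in stream:
        carried = 0.0 if t_prev is None else w_prev(t_i - t_prev)
        w_i = make_w(carried, la_i)
        funcs.append((t_i, w_i))
        w_prev, t_prev = w_i, t_i
    return funcs


def weight_at(stream, tau, t):
    """Aggregated weight of the PID's alert at absolute time t: evaluate the
    most recent W_i with T_i <= t at its elapsed time; zero before any anomaly."""
    current = 0.0
    for t_i, w_i in build_weight_functions(stream, tau):
        if t_i <= t:
            current = w_i(t - t_i)
    return current


def should_alert(stream, tau, t, threshold):
    """Claim 60 alert signal, here driven by a threshold on the aggregated
    weight. The threshold value is an assumption; the claims recite none."""
    return weight_at(stream, tau, t) >= threshold


if __name__ == "__main__":
    for t in (0.0, 2.0, 3.0, 30.0, 60.0):
        print(f"t={t:5.1f}s  W={weight_at(SAMPLE_STREAM, 10.0, t):.3f}  "
              f"alert={should_alert(SAMPLE_STREAM, 10.0, t, 3.0)}")
```

With tau = 10 s, three anomalies within 3 s push the weight to about 3.72 and trigger the alert, while the same anomalies spread out would not; note that under this recurrence only the newest contribution decays, so the carried-over term leaves a floor that persists after the burst. 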

Regarding claim 65, the combination enables: 

wherein said detection component is configured for correlating said anomalies in 
said plurality by mapping them into respective fuzzy sets (Ghosh, 4:58; 9:31-44; 
8:14-19). 

Regarding claim 66, the combination enables: 

wherein said monitoring comprises an information gathering component 
configured for intercepting low-level data within said system watching for changes in the 
state of the system, thus providing data to be analyzed in said anomaly detection 
(Crosbie, par. 15). 
Regarding claim 69, the combination enables: 

comprising a current state module monitoring all processes running on the 
system monitored and all file descriptors and the socket description used by each said 
process to produce an instantaneous state of the system monitored (Crosbie, par. 192; 
Ghosh, 6:20-38; 10:56-11:14). 
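The claim 36 and 53 limitation (monitoring, for at least two processes, only the primitives that allocate or release resources), the state differencing of claim 57 and the current-state module of claim 69 can be made concrete with the following added Python example, which is not code from the application or from Crosbie or Ghosh. It parses a constructed kernel-audit-style trace in which every system call of two PIDs is logged, keeps only the primitives that allocate or release a resource, builds the instantaneous per-PID descriptor state, and reports differences between two snapshots as anomalies. The trace format, the allocate/release primitive set and the descriptor kinds are assumptions made for the example. 

```python
import re
from collections import defaultdict

# Constructed audit-style trace (made up for this example): "<pid> <syscall>(<args>) = <ret>".
# Every syscall is logged, including ones that touch no resource.
SAMPLE_TRACE = """\
1001 open("/etc/passwd", O_RDONLY) = 3
1001 read(3, ..., 4096) = 1024
1002 socket(AF_INET, SOCK_STREAM, 0) = 4
1001 close(3) = 0
1002 connect(4, ...) = 0
1002 getpid() = 1002
1001 open("/tmp/x", O_WRONLY) = 5
1002 socket(AF_INET, SOCK_STREAM, 0) = 6
1002 close(4) = 0
"""

# Assumed set of system primitives that allocate or release a resource.
ALLOCATING = {"open": "file", "socket": "socket"}
RELEASING = {"close"}

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s*=\s*(-?\d+)$")


def parse_trace(text):
    """Yield (pid, syscall, args, ret) for each well-formed trace line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, name, args, ret = m.groups()
            yield int(pid), name, args, int(ret)


def snapshot_state(text):
    """Current-state module: per-PID map of live descriptor -> kind, built only
    from allocate/release primitives. All other syscalls in the log are ignored,
    which is the claimed subset drawn from a log that records every call."""
    state = defaultdict(dict)
    for pid, name, args, ret in parse_trace(text):
        if name in ALLOCATING and ret >= 0:
            state[pid][ret] = ALLOCATING[name]
        elif name in RELEASING:
            try:
                fd = int(args.split(",")[0])
            except ValueError:
                continue
            state[pid].pop(fd, None)
    return {pid: dict(fds) for pid, fds in state.items()}


def diff_states(previous, current):
    """Differencing between a previous and a current snapshot: each descriptor
    that is present in one and absent (or of another kind) in the other is
    reported as (pid, fd, kind_before, kind_after)."""
    anomalies = []
    for pid in set(previous) | set(current):
        before = previous.get(pid, {})
        after = current.get(pid, {})
        for fd in set(before) | set(after):
            if before.get(fd) != after.get(fd):
                anomalies.append((pid, fd, before.get(fd), after.get(fd)))
    return sorted(anomalies)


if __name__ == "__main__":
    head = "\n".join(SAMPLE_TRACE.splitlines()[:4])
    earlier, now = snapshot_state(head), snapshot_state(SAMPLE_TRACE)
    print("previous:", earlier)
    print("current: ", now)
    for anomaly in diff_states(earlier, now):
        print("anomaly:", anomaly)
```

The second snapshot shows PID 1001 holding a new file descriptor and PID 1002 having released one socket and opened another; the read, connect and getpid calls in the log never enter the state, which is the distinction the applicant draws and the examiner treats as a subset of what the audit log discloses. 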

Regarding claims 40 - 49 and 52, they comprise essentially similar limitations to 
claims 57 - 66 and 69 and are rejected, at least, for the same reasons. 

Response to Arguments 

Applicant's arguments filed 4/7/09 have been fully considered but they are not 
persuasive. 

Applicant essentially argues on page 11 of the Remarks: 

For example, independent claim 53 recites "[a]n apparatus for monitoring 
operation of a processing system," which is clearly not just "software." This is also 
clearly explained in the specification at, for example, pp. 8-11, which discusses that the 
apparatus has "model" and "real system" components. Applicants' claimed "apparatus" 
is clearly statutory under 35 U.S.C. § 101. Therefore, independent claim 53 should be 
allowable. Claims 54-69 should also be allowable, at least by virtue of their dependence 

Examiner responds: 

The examiner respectfully notes, contrary to the applicant's suggestion, that 
there is nothing inherently statutory about the recitation of an apparatus (i.e. a 
means for functionality). Furthermore, as recited, the applicant's claim is directed 
towards an "apparatus" comprising essentially software "modules" (e.g. Specification, 
pg. 6, line 27 - pg. 7, line 5). Applicant fails to recite further subject matter pertaining 
to the apparatus that would fall within the bounds of statutory subject matter. As software 
fails to fall within any of the statutory categories of invention, these claims are rejected 
as non-statutory. 

Applicant essentially argues on pages 11 and 12 of the Remarks: 

Specifically, Crosbie does not disclose or suggest at least Applicants' claimed 
"the step of monitoring, for at least two processes in said plurality, a set of system 
primitives that allocate or release said system resources ," as recited in independent 
claim 36 (emphases added, independent claim 53 containing similar recitations). 

In contrast ... However, Crosbie's IDS does not monitor "processes" "running" 
on a processing system, as recited in claims 36 and 53. Rather, Crosbie's IDS operates 
based on, for example, a weekly schedule and utilizes stored data in log files. 
Examiner responds: 

In response, the examiner respectfully points out that the monitoring of a plurality 
of processes is clearly disclosed throughout the prior art (e.g. see Crosbie, par. 15, 67, 
205, 206). The use of log records appears to be, at least, one of the means utilized by 
the prior art for monitoring a plurality of processes running on a system. Logically, it is 
noted that the utilization of a particular means for monitoring processes does not 
somehow signify that monitoring of processes does not occur. 

Applicant essentially argues on page 12 of the Remarks: 

Moreover, Crosbie's IDS does not require a specific type of system calls to 
perform intrusion detection. For example, Crosbie discloses that "[t]he kernel audit logs 
generally include all the information about every system call executed on the host." 
Crosbie, par. [0116] (emphases added). In contrast, Applicants' claims 36 and 53 recite 
"a set of system primitives that allocate or release said system resources" (emphasis 
added), which does not include all the information about every system call. 

Examiner responds: 

It is respectfully noted that the applicant essentially argues that the prior art 
discloses more than what is recited by applicant's claims, and therefore cannot disclose 
the claim limitations. The examiner respectfully notes that this argument is nonsensical, 
at least, in that the applicant fails to provide any logical reason as to how a disclosure of 
a set of features precludes a disclosure of a claimed subset of features within the set. 
Furthermore, in response to applicant's argument that the references fail to show 
certain features of applicant's invention, it is noted that the features upon which 
applicant relies (i.e., require a specific type of system calls to perform intrusion 
detection; ". . . that allocate or release said system resources" . . . which does not include 
all the information about every system call) are not recited in the rejected claim(s). 

The examiner notes that the remainder of the applicant's remarks appear to be based 
upon the above unpersuasive arguments. The examiner finds these remarks to be 
unpersuasive for the same reasons. 



Conclusion 

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure: 

See Notice of References Cited. 

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jeffery Williams whose telephone number is (571) 272- 
7965. The examiner can normally be reached on 8:30-5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on (571) 272-3865. The fax phone 
number for the organization where this application or proceeding is assigned is (703) 
872-9306. 
Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 



/Jeffery Williams/ 
Examiner, Art Unit 2437 

/Emmanuel L. Moise/ 

Supervisory Patent Examiner, Art Unit 2437 



